Use common code within manila.policy module

Rewrote the 'init' and 'reset' functions to use the equivalent
functionality from the common policy enforcer code.
Changed the path to the test policy file, because the policy enforcer
uses the oslo.config 'find_file' method, which was not used before
and does not know about the test policy file.

Partially-implements blueprint use-common-code
Change-Id: I26ed170d39ed183899ee4420dc04d512cf3172e2
Valeriy Ponomaryov 2014-07-24 06:20:38 -04:00
parent c8112434eb
commit 284936f43b
3 changed files with 25 additions and 40 deletions


@ -16,48 +16,27 @@
"""Policy Engine For Manila""" """Policy Engine For Manila"""
import functools import functools
import os.path
from oslo.config import cfg
from manila import exception from manila import exception
from manila.openstack.common import policy from manila.openstack.common import policy
from manila import utils
CONF = cfg.CONF
_ENFORCER = None _ENFORCER = None
_POLICY_PATH = None
_POLICY_CACHE = {}
def reset(): def reset():
global _POLICY_PATH
global _POLICY_CACHE
global _ENFORCER global _ENFORCER
_POLICY_PATH = None if _ENFORCER:
_POLICY_CACHE = {} _ENFORCER.clear()
_ENFORCER = None _ENFORCER = None
def init(): def init(policy_path=None):
global _POLICY_PATH
global _POLICY_CACHE
global _ENFORCER global _ENFORCER
if not _POLICY_PATH:
_POLICY_PATH = CONF.policy_file
if not os.path.exists(_POLICY_PATH):
_POLICY_PATH = utils.find_config(_POLICY_PATH)
if not _ENFORCER: if not _ENFORCER:
_ENFORCER = policy.Enforcer(policy_file=_POLICY_PATH) _ENFORCER = policy.Enforcer()
utils.read_cached_file(_POLICY_PATH, _POLICY_CACHE, reload_func=_set_rules) if policy_path:
_ENFORCER.policy_path = policy_path
_ENFORCER.load_rules()
def _set_rules(data):
global _ENFORCER
default_rule = CONF.policy_default_rule
_ENFORCER.set_rules(policy.Rules.load_json(
data, default_rule))
def enforce(context, action, target, do_raise=True): def enforce(context, action, target, do_raise=True):
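Review bot: The new `init` builds `policy.Enforcer()` with no arguments, whereas the removed `_set_rules` passed `CONF.policy_default_rule` explicitly into `policy.Rules.load_json`, so the rule applied to actions missing from the policy file now depends on the common enforcer's own defaults, which this change does not show. That fallback decides authorization for every unlisted action, so it is worth confirming that the enforcer honours the same option and then recording it next to the constructor, for example `# Enforcer reads policy_file and policy_default_rule from CONF itself`. A test that enforces an action absent from the policy file would pin the behaviour. `init` also has no docstring; one sentence stating that `policy_path` overrides the configured policy file would help, and because indentation is lost on this page, check that the override is still applied as intended when an enforcer already exists.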


@ -14,9 +14,13 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from oslo.config import cfg import os
CONF = cfg.CONF from manila.common import config
CONF = config.CONF
_POLICY_PATH = os.path.abspath(os.path.join(CONF.state_path,
'manila/tests/policy.json'))
def set_defaults(conf): def set_defaults(conf):
@ -24,7 +28,7 @@ def set_defaults(conf):
conf.set_default('verbose', True) conf.set_default('verbose', True)
conf.set_default('connection', "sqlite://", group='database') conf.set_default('connection', "sqlite://", group='database')
conf.set_default('sqlite_synchronous', False) conf.set_default('sqlite_synchronous', False)
conf.set_default('policy_file', 'manila/tests/policy.json') conf.set_default('policy_file', _POLICY_PATH)
conf.set_default('share_export_ip', '0.0.0.0') conf.set_default('share_export_ip', '0.0.0.0')
conf.set_default('service_instance_user', 'fake_user') conf.set_default('service_instance_user', 'fake_user')
conf.set_default('share_driver', conf.set_default('share_driver',
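Review bot: `_POLICY_PATH` is computed from `CONF.state_path` when the module is imported, so the test policy file is only found if `state_path` points at the source tree root at that moment; an override or a different default would leave `policy_file` pointing at a path that may not exist. Anchoring to the module location does not depend on configuration, e.g. `_POLICY_PATH = os.path.abspath(os.path.join(os.path.dirname(__file__), 'policy.json'))`, assuming this module sits in the same directory as the test policy file (the file's own path is not shown on this page). The `set_defaults` body continues past the end of the second hunk.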


@ -33,6 +33,7 @@ CONF = cfg.CONF
class PolicyFileTestCase(test.TestCase): class PolicyFileTestCase(test.TestCase):
def setUp(self): def setUp(self):
super(PolicyFileTestCase, self).setUp() super(PolicyFileTestCase, self).setUp()
# since is_admin is defined by policy, create context before reset # since is_admin is defined by policy, create context before reset
@ -40,26 +41,27 @@ class PolicyFileTestCase(test.TestCase):
policy.reset() policy.reset()
self.target = {} self.target = {}
def tearDown(self):
super(PolicyFileTestCase, self).tearDown()
policy.reset()
def test_modified_policy_reloads(self): def test_modified_policy_reloads(self):
with utils.tempdir() as tmpdir: with utils.tempdir() as tmpdir:
tmpfilename = os.path.join(tmpdir, 'policy') tmpfilename = os.path.join(tmpdir, 'policy')
self.flags(policy_file=tmpfilename) self.flags(policy_file=tmpfilename)
action = "example:test" action = "example:test"
with open(tmpfilename, "w") as policyfile: with open(tmpfilename, "w") as policyfile:
policyfile.write("""{"example:test": []}""") policyfile.write("""{"example:test": []}""")
policy.init(tmpfilename)
policy.enforce(self.context, action, self.target) policy.enforce(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile: with open(tmpfilename, "w") as policyfile:
policyfile.write("""{"example:test": ["false:false"]}""") policyfile.write("""{"example:test": ["false:false"]}""")
# NOTE(vish): reset stored policy cache so we don't have to # NOTE(vish): reset stored policy cache so we don't have to
# sleep(1) # sleep(1)
policy._POLICY_CACHE = {} policy._ENFORCER.load_rules(True)
self.assertRaises(exception.PolicyNotAuthorized, policy.enforce, self.assertRaises(
self.context, action, self.target) exception.PolicyNotAuthorized,
policy.enforce,
self.context,
action,
self.target,
)
class PolicyTestCase(test.TestCase): class PolicyTestCase(test.TestCase):
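Review bot: The `NOTE(vish)` comment in `test_modified_policy_reloads` still says it resets the stored policy cache, but the line under it now calls `policy._ENFORCER.load_rules(True)`; the comment should describe the new call, e.g. `# NOTE(vish): force a rules reload so we don't have to sleep(1)`. That call also reaches into the private `_ENFORCER` global, which couples the test to the module's internals and deserves a short acknowledgement in the same comment. In the new `tearDown`, `policy.reset()` runs only when `setUp` completed; registering `self.addCleanup(policy.reset)` in `setUp` would also clear the enforcer when `setUp` fails part-way, so stale rules cannot leak into later authorization tests.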